---
# SPDX-License-Identifier: Apache-2.0
-# SPDX-FileCopyrightText: 2023 The Linux Foundation, 2025 OpenInfra Foundation Europe
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
name: 'Release Helm Charts'
tags:
- '**'
- # Manual trigger for debugging
- # Note: Mandatory Gerrit variables switched to optional
- workflow_dispatch:
- inputs:
- # Optional Gerrit inputs
- GERRIT_BRANCH:
- description: "Branch that change is against"
- required: false
- type: string
- GERRIT_CHANGE_ID:
- description: "The ID for the change"
- required: false
- type: string
- GERRIT_CHANGE_NUMBER:
- description: "The Gerrit number"
- required: false
- type: string
- GERRIT_CHANGE_URL:
- description: "URL to the change"
- required: false
- type: string
- GERRIT_EVENT_TYPE:
- description: "Type of Gerrit event"
- required: false
- type: string
- GERRIT_PATCHSET_NUMBER:
- description: "The patch number for the change"
- required: false
- type: string
- GERRIT_PATCHSET_REVISION:
- description: "The revision sha"
- required: false
- type: string
- GERRIT_PROJECT:
- description: "Project in Gerrit"
- required: false
- type: string
- GERRIT_REFSPEC:
- description: "Gerrit refspec of change"
- required: false
- type: string
- GERRIT_DISABLED:
- description: "Run without Gerrit components"
- required: false
- default: false
- type: boolean
-
concurrency:
# yamllint disable-line rule:line-length
group: publish-release-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
RIC_DEP_CI_DOCKER_FILE: 'ci/Dockerfile'
jobs:
- notify:
+ repository-metadata:
+ name: "Repository Metadata"
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ timeout-minutes: 5
steps:
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
+ # yamllint disable-line rule:line-length
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0
+
- name: "Gather repository metadata"
id: repo-metadata
# yamllint disable-line rule:line-length
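Review bot: The `actions/checkout` step added here sets only `fetch-depth: 0`, so the default credential persistence applies and the job token stays available to git for the rest of the job. Adding `persist-credentials: false` under `with:` would stop that. The same applies to the checkouts added in tag-validate and verify-and-publish. It matters most in verify-and-publish, which goes on to run the project Makefiles and Docker builds and shows no `permissions:` key in the visible lines. If there is no workflow-level default outside this diff, that job should also get `permissions:` with `contents: read`, matching the two new jobs.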
artifact_upload: 'true'
artifact_formats: 'json'
- - name: Notify job start
+ tag-validate:
+ name: 'Validate Tag Push'
+ runs-on: 'ubuntu-latest'
+ permissions:
+ contents: read
+ timeout-minutes: 2
+ outputs:
+ tag: "${{ steps.tag-validate.outputs.tag_name }}"
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: 'audit'
+
+ - name: 'Checkout repository'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0
- if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
- host: ${{ vars.GERRIT_SERVER }}
- username: ${{ vars.GERRIT_SSH_USER }}
- key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
- known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
- gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
- gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
- comment-only: 'true'
+ fetch-depth: 0
+ fetch-tags: true
+
+ - name: 'Verify pushed tag'
+ id: 'tag-validate'
+ # yamllint disable-line rule:line-length
+ uses: lfreleng-actions/tag-validate-action@fix-ssh-signature-detection # Testing
+ with:
+ require_type: 'calver'
+ require_signed: 'true'
+ token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: 'Reject development tags'
+ if: steps.tag-validate.outputs.development_tag == 'true'
+ shell: bash
+ run: |
+ # Reject development tags
+ echo "Development tag pushed; aborting release workflow 🛑"
+ echo "Development tag pushed; aborting release workflow 🛑" \
+ >> "$GITHUB_STEP_SUMMARY"
+ exit 1
verify-and-publish:
name: 'Build/Verify Helm Charts'
- needs: [notify]
- if: always()
+ needs: [tag-validate]
runs-on: 'ubuntu-latest'
outputs:
charts_build_dir: "${{ env.CHARTS_BUILD_DIR }}"
timeout-minutes: 20
steps:
# yamllint disable-line rule:line-length
- - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Load secrets from 1Password
- uses: 1password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6 # v3.0.0
+ uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
with:
export-env: true
env:
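Review bot: The 'Verify pushed tag' step references `lfreleng-actions/tag-validate-action@fix-ssh-signature-detection`, a mutable branch, while every other action in this workflow is pinned to a full commit SHA. This step is the release gate (`require_signed: 'true'`), it receives `secrets.GITHUB_TOKEN`, and verify-and-publish now depends on it through `needs: [tag-validate]`. Any later push to that branch would therefore change what the gate does without a change in this repository. Before merging, pin it like the others, e.g. `uses: lfreleng-actions/tag-validate-action@<full-commit-sha> # <release-tag>`, and drop the `# Testing` marker.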
echo "set=true" >> $GITHUB_OUTPUT
fi
- - name: "Exit early for 1Password integration"
- run: |
- # Exit early for 1Password integration
- exit 0
-
- - name: 'Checkout Gerrit change'
+ # No need for Gerrit checkout; triggered on tag push
+ # GitHub is already in sync with Gerrit state
+ - name: 'Checkout repository'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
- with:
- gerrit-project: ${{ inputs.GERRIT_PROJECT }}
- gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
- delay: "0s"
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: 'Display workflow environment'
shell: bash
- name: 'Set up Docker Buildx'
# yamllint disable-line rule:line-length
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: 'Build pre-requisites, install Helm plugins'
id: pre-requisites
- name: 'Start ChartMuseum'
id: chartmuseum
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/chartmuseum-action@fd69b10b8a21548c0eb99b13f52ed40875057dbf # v0.1.5
+ uses: lfreleng-actions/chartmuseum-action@7f3e1314e831894078f9a7ad74cea2ea0975d505 # v0.1.6
with:
username: 'chartmuseum'
password: "${{ secrets.GITHUB_TOKEN }}"
# Makefiles publish to Chartmeusem service locally
- name: 'Build onap_oom'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2
+ uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3
with:
make_args: "-C smo-install/onap_oom/kubernetes -e SKIP_LINT=TRUE"
# Makefiles publish to Chartmeusem service locally
- name: 'Build oran_oom'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2
+ uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3
with:
make_args: "-C smo-install/oran_oom"
# Makefiles publish to Chartmeusem service locally
- name: 'Build oran_oom/smo'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2
+ uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3
with:
make_args: "-C smo-install/oran_oom/smo"
# Makefiles publish to Chartmeusem service locally
- name: 'Build tests_oom'
# yamllint disable-line rule:line-length
- uses: lfreleng-actions/make-action@d2b447abd5db8425f4fbbb27b953133861137a66 # v0.1.2
+ uses: lfreleng-actions/make-action@e07201ee8e3d1f34800f1c63f58415624a8c054c # v0.1.3
with:
make_args: "-C smo-install/tests_oom"
tags: ""
- name: 'Publish to Nexus3 (Helm Snapshot)'
- uses: lfreleng-actions/nexus-publish-action@b53a4638789cba03279c97aeab7f0ce10dbfa991 # v0.1.3
+ uses: lfreleng-actions/nexus-publish-action@b53a4638789cba03279c97aeab7f0ce10dbfa991 # v0.1.4
# Note: changed from verify for 1Password integration
with:
nexus_server: "${{ vars.NEXUS3_SERVER }}"
nexus_username: "${{ github.event.repository.name }}"
- nexus_password: "${{ env.NEXUS_PASSWORD }}"
+ nexus_password: "${{ secrets.NEXUS_PASSWORD }}"
repository_format: 'raw'
repository_name: 'helm.release'
files_path: "${{ env.CHARTS_BUILD_DIR }}"
file_pattern: '*.tgz'
permit_fail: true
-
- report-status:
- if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }}
- needs: [notify, verify-and-publish]
- runs-on: ubuntu-latest
- steps:
- - name: Get conclusion
- # yamllint disable-line rule:line-length
- uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
-
- - name: Report workflow conclusion
- # yamllint disable-line rule:line-length
- uses: lfreleng-actions/gerrit-review-action@537251ec667665b386f70b330b05446e3fc29087 # v0.9
- with:
- host: ${{ vars.GERRIT_SERVER }}
- username: ${{ vars.GERRIT_SSH_USER }}
- key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
- known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
- gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
- gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
- vote-type: ${{ env.WORKFLOW_CONCLUSION }}
- comment-only: 'true'
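Review bot: The version comment on the `nexus-publish-action` line now says `# v0.1.4`, but the commit SHA is the same one the removed line labelled v0.1.3, so the pin has not moved. Either update the SHA to the commit for v0.1.4 or restore the old comment, so the annotation matches what actually runs. Separately, `nexus_password` now reads `secrets.NEXUS_PASSWORD` instead of `env.NEXUS_PASSWORD`, although the 'Load secrets from 1Password' step with `export-env: true` is still present in this job. Confirm that the repository secret exists, because with `permit_fail: true` a failed login would presumably not fail the release.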